Delta-Complete Reachability Analysis (Part I)

Sicun Gao, Soonho Kong, Edmund M. Clarke

December 1, 2013
CMU-CS-13-131

School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213


Abstract

We give a new framework for safety verification of nonlinear hybrid systems, based on delta-decidability of first-order logic formulas over the real numbers. We use expressive logic formulas (which can contain nonlinear ODEs with no analytic solutions) to encode bounded model checking and invariant validation problems using delta-complete decision procedures. Such techniques allow us to take into account robustness properties of a system under delta-bounded numerical perturbations. This report describes Part I of the work, focusing on basic definitions and bounded reachability problems.
1 Introduction

Formal verification is difficult for hybrid systems with nonlinear dynamics and complex discrete control [1, 9]. Few modern techniques from hardware and software verification have seen much success on hybrid systems, because these techniques are all highly dependent on scalable logic solvers. To apply them to hybrid systems, we have to solve logic formulas over the real numbers with (often a large number of) nonlinear functions, which is highly challenging both theoretically and practically.

In recent work [7, 6], we have shown that logic formulas over the real numbers become much easier to solve when we shift our focus from the standard decision problem to the δ-decision problem: given an arbitrary positive rational number δ, we ask if a logic formula is false or δ-true. The latter answer can be given if the formula would become true under δ-bounded numerical perturbations on its constant terms. The δ-decision problem is decidable, with reasonable complexity, for bounded first-order sentences over the reals with arbitrary Type 2 computable functions, such as polynomials, trigonometric functions, and Lipschitz-continuous ODEs [17].

This series of reports describes how we use δ-decidability over the reals to develop a new framework for hybrid system verification.

First, δ-decidability results enable the use of an expressive first-order logic signature, which we denote as $\mathcal{L}_{\mathbb{R}\mathcal{F}}$, to represent general nonlinear hybrid systems. Here, $\mathcal{L}_{\mathbb{R}\mathcal{F}}$ allows the use of arbitrary Type 2 computable real functions, which, for instance, include nonlinear ODEs that only need to be numerically solvable. Almost all existing classes of hybrid systems that have been studied in the literature can be defined through restrictions on $\mathcal{L}_{\mathbb{R}\mathcal{F}}$.

Next, bounded model checking and invariant-based reasoning techniques for $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representable hybrid systems are naturally expressed as decision problems for $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas. The key observation is that, when we shift to solving the δ-decision problem for these formulas, the verification results are not weakened. This motivates the definition of δ-strengthened versions of the verification techniques. For instance, with δ-strengthened bounded model checking, we always obtain one of the following answers:

• Safe (bounded): The system does not violate the safety property within a bounded time and a bounded unrolling depth (for discrete mode changes).

• δ-Unsafe: Under some δ-perturbation on its $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representation, the system would violate the safety property.

Thus, when the procedure returns "safe", it is a precise answer and no error is involved. On the other hand, when we choose a small enough δ, a system that is "δ-unsafe" exhibits robustness problems. Realistic hybrid systems interact with the physical world and it is impossible to avoid slight perturbations. Thus, a system that is unsafe under δ-perturbations should indeed be regarded as unsafe. Note that such robustness problems cannot be discovered by solving the precise decision problem. In short, the framework turns numerical errors into stronger verification results.

It follows from δ-decidability that δ-strengthened bounded reachability and invariant validation are computable for general nonlinear hybrid systems, which stands in sharp contrast to the standard undecidability of reachability for simple systems. Moreover, after bypassing the difficulties with exact real computations, we gain a better understanding of intrinsic properties of hybrid systems. For instance:

• There exists a three-layer complexity hierarchy for bounded reachability, which depends on the use of mode invariants and nondeterministic flows.

• The search for sound and complete rules for exact checking of invariants is a major challenge, while switching to the δ-strengthened version allows a direct logical encoding.

This report focuses on basic definitions and theoretical results regarding bounded reachability.

2 $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Representations of Hybrid Automata

2.1 $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Formulas

We will use a logical language over the real numbers, written as $\mathcal{L}_{\mathbb{R}\mathcal{F}}$, that allows arbitrary computable real functions. Computability of real functions is a notion well-developed in Computable Analysis [17]. Intuitively, a real function is computable if it can be numerically simulated up to an arbitrary precision. For the purpose of this paper, it suffices to know that almost all the functions that are needed in describing hybrid systems are computable: polynomials, exponentiation, logarithm, trigonometric functions, and also the solution functions of Lipschitz-continuous ordinary differential equations. Compositions of computable functions are computable. This, as we will show, makes $\mathcal{L}_{\mathbb{R}\mathcal{F}}$ very powerful: it can express almost any realistic hybrid system.

Formally, $\mathcal{L}_{\mathbb{R}\mathcal{F}} = \langle \mathcal{F}, > \rangle$ represents the first-order signature over the reals with the set $\mathcal{F}$ of computable real functions, which contains all the functions mentioned above. Note that constants are included as 0-ary functions. $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas are evaluated in the standard way over the corresponding structure $\mathbb{R}_{\mathcal{F}} = \langle \mathbb{R}, \mathcal{F}^{\mathbb{R}}, >^{\mathbb{R}} \rangle$. It is not hard to see that we can put any $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula in a normal form, such that its atomic formulas are of the form $t(x_1, \ldots, x_n) > 0$ or $t(x_1, \ldots, x_n) \geq 0$, with $t(x_1, \ldots, x_n)$ composed of functions in $\mathcal{F}$. This follows from the fact that $t(\vec{x}) = 0$ can be written as $-|t(\vec{x})| \geq 0$, $t(\vec{x}) < 0$ as $-t(\vec{x}) > 0$, and $t(\vec{x}) \leq 0$ as $-t(\vec{x}) \geq 0$. Also, negations in front of atomic formulas can be eliminated by replacing $\neg\, t(\vec{x}) > 0$ with $-t(\vec{x}) \geq 0$, and $\neg\, t(\vec{x}) \geq 0$ with $-t(\vec{x}) > 0$. To avoid extra preprocessing of formulas, we can explicitly define $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas as follows.

Definition 2.1 ($\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Formulas). Let $\mathcal{F}$ be a collection of computable real functions. We define:

$t := x \mid f(t(\vec{x}))$, where $f \in \mathcal{F}$ (constants are 0-ary functions);
$\varphi := t(\vec{x}) > 0 \mid t(\vec{x}) \geq 0 \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \exists x_i \varphi \mid \forall x_i \varphi$.

In this setting $\neg\varphi$ is regarded as an inductively defined operation which replaces atomic formulas $t > 0$ with $-t \geq 0$, atomic formulas $t \geq 0$ with $-t > 0$, switches $\wedge$ and $\vee$, and switches $\forall$ and $\exists$. Implication $\varphi_1 \rightarrow \varphi_2$ is defined as $\neg\varphi_1 \vee \varphi_2$.

For any $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula $\varphi$ with $n$ free variables, we write $[\![\varphi]\!] = \{\vec{a} \in \mathbb{R}^n : \varphi(\vec{a}) \text{ is true over } \langle \mathbb{R}, \mathcal{F}^{\mathbb{R}}, >^{\mathbb{R}} \rangle\}$. If $\varphi$ is a sentence (no free variables), we use the standard notation $\mathbb{R}_{\mathcal{F}} \models \varphi$ to denote that $\varphi$ is true over $\mathbb{R}_{\mathcal{F}}$.
Definition 2.2 (Bounded Quantifiers). The bounded quantifiers $\exists^{[u,v]}$ and $\forall^{[u,v]}$ are defined as

$\exists^{[u,v]} x.\,\varphi =_{df} \exists x.\,(u \leq x \wedge x \leq v \wedge \varphi)$,

$\forall^{[u,v]} x.\,\varphi =_{df} \forall x.\,((u \leq x \wedge x \leq v) \rightarrow \varphi)$,

where $u$ and $v$ denote terms, whose variables only contain free variables in $\varphi$ excluding $x$.
Definition 2.3 (Bounded $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Sentences). A bounded $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-sentence is

$Q_1^{[u_1,v_1]} x_1 \cdots Q_n^{[u_n,v_n]} x_n\; \psi(x_1, \ldots, x_n)$,

where $Q_i^{[u_i,v_i]}$ are bounded quantifiers, and $\psi(x_1, \ldots, x_n)$ is a quantifier-free $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula.

2.2 δ-Perturbations and δ-Decidability

Definition 2.4 (δ-Variants). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$, and $\varphi$ an $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula of the form

$\varphi : Q_1^{I_1} x_1 \cdots Q_n^{I_n} x_n\; \psi[t_i(\vec{x}, \vec{y}) > 0;\; t_j(\vec{x}, \vec{y}) \geq 0]$,

where $i \in \{1, \ldots, k\}$ and $j \in \{k+1, \ldots, m\}$. The δ-weakening $\varphi^\delta$ of $\varphi$ is defined as the result of replacing each atom $t_i > 0$ by $t_i > -\delta$ and $t_j \geq 0$ by $t_j \geq -\delta$. That is,

$\varphi^\delta : Q_1^{I_1} x_1 \cdots Q_n^{I_n} x_n\; \psi[t_i(\vec{x}, \vec{y}) > -\delta;\; t_j(\vec{x}, \vec{y}) \geq -\delta]$.

It is clear that $\varphi \rightarrow \varphi^\delta$ (see [7]).

In [7, 6], we have proved that the following δ-decision problem is decidable. This result serves as the basis of our framework.

Theorem 2.5 (δ-Decidability). Let $\delta \in \mathbb{Q}^+$ be arbitrary. There is an algorithm which, given any bounded $\varphi$, correctly returns one of the following two answers:

• "δ-True": $\varphi^\delta$ is true.

• "False": $\varphi$ is false.

Note when the two cases overlap, either answer is correct.

We now turn to the complexity issues. Informally, a real function is (uniformly) P-computable (PSPACE-computable) over a compact domain, simply if it can be numerically computed within polynomial time (polynomial space). Details can be found in [14, 7]. It suffices to know that many common real functions are P-computable, which includes the polynomials, exp, log, sin, etc. The intuition is that they can be effectively approximated, for instance with Taylor expansions. It is also shown that the solution functions of P-computable Lipschitz-continuous differential equations are PSPACE-computable [14] (in fact, PSPACE-complete [13]).

To state the complexity of the δ-decision problems, we recall the definition of the relativized complexity classes and polynomial hierarchy. The polynomial hierarchy, relativized to a set $A$, is defined as $(\Sigma_0^P)^A = (\Pi_0^P)^A = P^A$, $(\Sigma_{i+1}^P)^A = NP^{(\Sigma_i^P)^A}$, and $(\Pi_{i+1}^P)^A = coNP^{(\Sigma_i^P)^A}$.

Theorem 2.6 (Complexity [7]). Let $S$ be a class of $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-sentences, such that for any $\varphi$ in $S$, the functions in $\varphi$ are in complexity class $C$. Then, for any $\delta \in \mathbb{Q}^+$, the δ-decision problem for bounded $\Sigma_n$-sentences in $S$ is in $(\Sigma_n^P)^C$.
2.3 Hybrid Automata with $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Representations

Hybrid automata extend finite automata with continuous dynamics. We first show that $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas can be used as a concise and natural representation of general hybrid systems.

Definition 2.7 ($\mathcal{L}_{\mathbb{R}\mathcal{F}}$-Representation). A hybrid automaton in $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representation is a tuple

$H = \langle X, Q, \{\mathrm{flow}_q(\vec{x}, \vec{x}_0, t) : q \in Q\}, \{\mathrm{inv}_q(\vec{x}) : q \in Q\}, \{\mathrm{jump}_{q \to q'}(\vec{x}, \vec{x}') : q, q' \in Q\}, \{\mathrm{init}_q(\vec{x}) : q \in Q\} \rangle$,

where $X \subseteq \mathbb{R}^n$ for some $n \in \mathbb{N}$, $Q = \{q_1, \ldots, q_m\}$ is a finite set of modes, and the other components are sets of quantifier-free $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas.

Almost all hybrid systems studied in the existing literature can be defined by restricting the signature $\mathcal{F}$. For instance,

Example 2.8 (Linear and Polynomial Hybrid Automata). Let $\mathcal{F}_{lin} = \{+\} \cup \mathbb{Q}$ and $\mathcal{F}_{poly} = \{\times\} \cup \mathcal{F}_{lin}$. (Rational numbers are considered as 0-ary functions.) In existing literature, we say $H$ is a linear hybrid automaton if it has an $\mathcal{L}_{\mathbb{R}\mathcal{F}_{lin}}$-representation, and a polynomial hybrid automaton if it has an $\mathcal{L}_{\mathbb{R}\mathcal{F}_{poly}}$-representation.

Example 2.9 (Nonlinear Bouncing Ball). The bouncing ball is a standard hybrid system model. The point of the example is to emphasize that nonlinear components can be written directly in the $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representation.

$H_{bb} = \langle X, Q, \mathrm{flow}, \mathrm{jump}, \mathrm{inv}, \mathrm{init} \rangle$

where

• $X = \mathbb{R}^2$ and $Q = \{q_u, q_d\}$.

• $\mathrm{flow}_{q_u}(x_0, v_0, x_t, v_t, t)$:

  $(x_t = x_0 + \int_0^t v(s)\,ds) \wedge (v_t = v_0 + \int_0^t g(1 - \beta v(s)^2)\,ds)$

  $\mathrm{flow}_{q_d}(x_0, v_0, x_t, v_t, t)$:

  $(x_t = x_0 + \int_0^t v(s)\,ds) \wedge (v_t = v_0 + \int_0^t g(1 + \beta v(s)^2)\,ds)$

  where $\beta$ is a constant. Note that the integration terms define Type 2 computable functions, and can be directly used in $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas.

• $\mathrm{jump}_{q_d \to q_u}(x, v, x', v')$:

  $x = 0 \wedge v' = v \cdot \exp\!\left(\frac{c\pi}{2 m \omega_d}\right) \wedge x' = x$

  $\mathrm{jump}_{q_u \to q_d}(x, v, x', v')$:

  $v = 0 \wedge x' = x \wedge v' = v$

• $\mathrm{init}_{q_d} : x = 10 \wedge v = 0$.

• $\mathrm{inv}_{q_d} : x \geq 0 \wedge v \geq 0$ and $\mathrm{inv}_{q_u} : x \geq 0 \wedge v \leq 0$.
2.4 Hybrid Trajectories

Trajectories of hybrid systems combine continuous flows and discrete jumps. This motivates the use of a hybrid time domain, with which we can keep track of both the discrete changes and the duration of each continuous flow.

Definition 2.10 (Hybrid time domain). A hybrid time domain is a subset of $\mathbb{N} \times \mathbb{R}$ of the form

$T_m = \{(i, t) : i < m \text{ and } t \in [t_i, t_i'] \text{ or } [t_i, +\infty)\}$,

where $m \in \mathbb{N} \cup \{+\infty\}$, $\{t_i\}_{i=0}^{m}$ is an increasing sequence in $\mathbb{R}^+$, $t_0 = 0$, and $t_i' = t_{i+1}$.

Definition 2.11 (Hybrid Trajectories). Let $X \subseteq \mathbb{R}^n$ be a Euclidean space and $T_m$ a hybrid time domain. A hybrid trajectory is any continuous function $\xi : T_m \rightarrow X$.

To define trajectories of hybrid systems, we use a labeling function $\sigma_{\xi,H}(i)$ to map a step $i$ to the corresponding discrete mode in $H$. In each mode, the system flows continuously following the dynamics defined by $\mathrm{flow}_q(\vec{x}, \vec{x}_0, t)$. Note that $(t - t_k)$ is the actual duration in the $k$-th mode. When a switch between two modes is performed, it is required that $\xi(k+1, t_{k+1})$ is updated from the exit value $\xi(k, t_k')$ in the previous mode, following the jump conditions.

Definition 2.12 (Trajectories of a Hybrid Automaton). Let $H$ be a hybrid automaton, $T_m$ a hybrid domain, and $\xi : T_m \rightarrow X$ a hybrid trajectory. We say that $\xi$ is a trajectory of $H$ of discrete depth $m$, written as $\xi \in [\![H]\!]$, if there exists a labeling function $\sigma_{\xi,H} : \mathbb{N} \rightarrow Q$ such that:

• For some $q \in Q$, $\sigma_{\xi,H}(0) = q$ and $\mathbb{R}_{\mathcal{F}} \models \mathrm{init}_q(\xi(0, 0))$.

• For any $(i, t) \in T_m$, $\mathbb{R}_{\mathcal{F}} \models \mathrm{inv}_{\sigma_{\xi,H}(i)}(\xi(i, t))$.

• For any $(i, t) \in T_m$,

  - When $i = 0$, $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_{\sigma_{\xi,H}(0)}(\xi(0, 0), \xi(0, t), t)$.

  - When $i = k + 1$, where $0 < k + 1 < m$, we have

    $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_{\sigma_{\xi,H}(k+1)}(\xi(k+1, t_{k+1}), \xi(k+1, t), (t - t_{k+1}))$,

    $\mathbb{R}_{\mathcal{F}} \models \mathrm{jump}_{\sigma_{\xi,H}(k) \to \sigma_{\xi,H}(k+1)}(\xi(k, t_k'), \xi(k+1, t_{k+1}))$.

We can write the time domain $T_m$ of $\xi$ as $T(\xi)$.

Remark 2.13 (jump vs inv). The jump conditions specify when $H$ may switch to another mode. The invariants (when violated) specify when $H$ must switch to another mode. They will lead to different logical encodings in reachability analysis.
2.5 δ-Perturbations

The key benefit of using $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representations for describing hybrid automata is that operations on the logic formulas can be directly transferred.

Definition 2.14 (δ-Perturbations). Let $\delta \in \mathbb{Q}^+ \cup \{0\}$. Suppose $H = \langle X, Q, \mathrm{flow}, \mathrm{jump}, \mathrm{inv}, \mathrm{init} \rangle$ is an $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representation of hybrid system $H$. We define the δ-weakening of $H$ as

$H^\delta = \langle X, Q, \mathrm{flow}^\delta, \mathrm{jump}^\delta, \mathrm{inv}^\delta, \mathrm{init}^\delta \rangle$.

Example 2.15. The δ-weakening of the bouncing ball automaton has its component formulas replaced by their δ-weakening. For instance, $\mathrm{flow}^\delta_{q_u}(x_0, v_0, x_t, v_t, t)$ is

$|x_t - (x_0 + \int_0^t v(s)\,ds)| \leq \delta \wedge |v_t - (v_0 + \int_0^t g(1 - \beta v(s)^2)\,ds)| \leq \delta$,

and $\mathrm{jump}^\delta_{q_d \to q_u}(x, v, x', v')$ is

$|x| \leq \delta \wedge |v' - v \cdot \exp\!\left(\frac{c\pi}{2 m \omega_d}\right)| \leq \delta \wedge |x' - x| \leq \delta$.

It is important to note that the notion of δ-perturbations is a purely syntactic one (defined on the description of hybrid systems), instead of a semantic one (defined on the trajectories). Note that the syntactic perturbations naturally lead to a semantic over-approximation of $H$ in the trajectory space:

Proposition 2.16. For any $H$ and $\delta \in \mathbb{Q}^+ \cup \{0\}$, $[\![H]\!] \subseteq [\![H^\delta]\!]$.

Proof. Let $\xi \in [\![H]\!]$ be any trajectory of $H$. Following Definition 2.4, for any sentence $\varphi$, we have $\varphi \rightarrow \varphi^\delta$. Since $\xi$ satisfies the conditions in Definition 2.12, after replacing each formula by its δ-weakening, we have $\xi \in [\![H^\delta]\!]$. □

Proposition 2.17. The δ-weakening of any hybrid automaton is nondeterministic.

2.6 Reachability

The safety/reachability problem for hybrid systems can now be formally stated as follows.

Definition 2.18 (Reachability). Let $H$ be an $n$-dimensional hybrid automaton, and $U$ a subset of its state space $Q \times X$. We say $U$ is reachable by $H$, if there exists $\xi \in [\![H]\!]$ with its time domain $T$ and labeling function $\sigma_{\xi,H}$, such that there exists $(i, t) \in T$ satisfying $(\sigma_{\xi,H}(i), \xi(i, t)) \in U$.

The bounded reachability problem for hybrid systems is defined by restricting the continuous components and time duration to a bounded domain, and the number of discrete transitions to a finite number.
Definition 2.19 (Bounded Reachability). Let $H$ be an $n$-dimensional hybrid automaton, whose continuous state space $X$ is a bounded subset of $\mathbb{R}^n$. Let $U$ be a subset of its state space. Let $k \in \mathbb{N}$ and $M \in \mathbb{R}$. The $(k, M)$-bounded reachability problem asks whether there exists $\xi \in [\![H]\!]$ with its time domain $T(\xi)$ and labeling function $\sigma_{\xi,H}$, such that there exists $(i, t) \in T(\xi)$ with $i \leq k$, $t = t_i'$ where $t_i' \leq M$, and $(\sigma_{\xi,H}(i), \xi(i, t)) \in U$.

Remark 2.20. By "step", we mean the number of discrete jumps. We say $H$ can reach $U$ in $k$ steps, if there exists $\xi \in [\![H]\!]$ that contains $k$ discrete jumps, entering and exiting the continuous flows in $k + 1$ modes.

In the seminal work of [3, 2], it is shown that the bounded reachability problem for simple classes of hybrid automata is undecidable. Note that a common restriction in the existing study is that all constants are rational numbers, which does not need to be the case in our definitions.


3 Bounded Reachability

In this section we study the bounded δ-reachability problem and how to solve it in practice. At the core of our framework is the correspondence between δ-reachability problems of hybrid systems and δ-decision problems of $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas.

3.1 Encoding Bounded Reachability in $\mathcal{L}_{\mathbb{R}\mathcal{F}}$

We first show how to encode bounded reachability using $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas. The encoding is mostly standard bounded model checking. However, in hybrid systems the invariant conditions and nondeterminism in the continuous flows play a special role.

We say a hybrid system $H$ is invariant-free if $\mathrm{inv} = \emptyset$. We say $H$ has nondeterministic flow if for some $q \in Q$, there exist $\vec{a}_0, \vec{a}_t, \vec{a}_t' \in \mathbb{R}^n$ and $t \in \mathbb{R}$ such that $\vec{a}_t \neq \vec{a}_t'$ and $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_q(\vec{a}_0, \vec{a}_t, t)$ and $\mathbb{R}_{\mathcal{F}} \models \mathrm{flow}_q(\vec{a}_0, \vec{a}_t', t)$.

Definition 3.1 (Unsafe Region). We use $\mathrm{unsafe} = \{\mathrm{unsafe}_q : q \in Q\}$ to denote the $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representation of a subset $U$ of the state space of $H$. For each $q \in Q$, we have $([\![\mathrm{unsafe}_q]\!], q) = U \cap (X \times \{q\})$. We also write $[\![\mathrm{unsafe}]\!] = \bigcup_{q \in Q} [\![\mathrm{unsafe}_q]\!] \times \{q\}$.

Now we define the encoding for three cases: hybrid systems that have trivial invariants, nontrivial invariants with deterministic flow, and nontrivial invariants with nondeterministic flow.

Systems with no invariants. We start with the simplest case for hybrid systems with no invariants. We define the following formula that checks whether an unsafe region is reachable after exactly $k$ steps of discrete transition in a hybrid system.
Definition 3.2 ($k$-Step Reachability, Invariant-Free Case). Suppose $H$ is invariant-free, and $U$ a subset of its state space represented by unsafe. The $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula $\mathrm{Reach}_{H,U}(k, M)$ is defined as:

$\exists \vec{x}_{0,q_1} \exists \vec{x}'_{0,q_1} \cdots \exists \vec{x}_{k,q_m} \exists \vec{x}'_{k,q_m} \exists^{[0,M]} t_0 \cdots \exists^{[0,M]} t_k.$
$\quad \bigvee_{q \in Q} \big( \mathrm{init}_q(\vec{x}_{0,q}) \wedge \mathrm{flow}_q(\vec{x}_{0,q}, \vec{x}'_{0,q}, t_0) \big)$
$\quad \wedge \bigwedge_{i=0}^{k-1} \Big( \bigvee_{q, q' \in Q} \big( \mathrm{jump}_{q \to q'}(\vec{x}'_{i,q}, \vec{x}_{i+1,q'}) \wedge \mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}'_{i+1,q'}, t_{i+1}) \big) \Big)$
$\quad \wedge \bigvee_{i=0}^{k} \bigvee_{q \in Q} \mathrm{unsafe}_q(\vec{x}'_{i,q}).$

Intuitively, the trajectories start with some initial state satisfying $\mathrm{init}_q(\vec{x}_{0,q})$ for some $q$. In each step, it follows $\mathrm{flow}_q(\vec{x}_{i,q}, \vec{x}'_{i,q}, t)$ and makes a continuous flow from $\vec{x}_{i,q}$ to $\vec{x}'_{i,q}$ after time $t$. When $H$ makes a jump from mode $q'$ to $q$, it resets variables following $\mathrm{jump}_{q' \to q}(\vec{x}'_{k,q'}, \vec{x}_{k+1,q})$.


Figure 1


Systems with invariants and deterministic flows. When the invariants are not trivial, we need to ensure that during each continuous flow, the system always stays within the invariants. Such checking requires universal quantification over time.

Definition 3.3 ($k$-Step Reachability, Nontrivial Invariant and Deterministic Flow). Suppose $H$ contains invariants and only deterministic flow, and $U$ a subset of its state space represented by unsafe. The $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula $\mathrm{Reach}_{H,U}(k, M)$ is defined as:

$\exists \vec{x}_{0,q_1} \exists \vec{x}'_{0,q_1} \cdots \exists \vec{x}_{k,q_m} \exists \vec{x}'_{k,q_m} \exists^{[0,M]} t_0 \cdots \exists^{[0,M]} t_k.$
$\quad \bigvee_{q \in Q} \Big( \mathrm{init}_q(\vec{x}_{0,q}) \wedge \mathrm{flow}_q(\vec{x}_{0,q}, \vec{x}'_{0,q}, t_0) \wedge \forall^{[0,t_0]} t\, \forall \vec{x}\, \big( \mathrm{flow}_q(\vec{x}_{0,q}, \vec{x}, t) \rightarrow \mathrm{inv}_q(\vec{x}) \big) \Big)$
$\quad \wedge \bigwedge_{i=0}^{k-1} \Big( \bigvee_{q, q' \in Q} \big( \mathrm{jump}_{q \to q'}(\vec{x}'_{i,q}, \vec{x}_{i+1,q'}) \wedge \mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}'_{i+1,q'}, t_{i+1})$
$\qquad\qquad \wedge \forall^{[0,t_{i+1}]} t\, \forall \vec{x}\, ( \mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}, t) \rightarrow \mathrm{inv}_{q'}(\vec{x}) ) \big) \Big)$
$\quad \wedge \bigvee_{i=0}^{k} \bigvee_{q \in Q} \mathrm{unsafe}_q(\vec{x}'_{i,q}).$

The extra universal quantifier for each continuous flow expresses the requirement that for all the time points between the initial and ending time point ($t \in [0, t_{i+1}]$) in a flow, the continuous variables $\vec{x}$ must take values that satisfy the invariant conditions $\mathrm{inv}_{q'}(\vec{x})$.


Systems with invariants and nondeterministic flows. In the most general case, a hybrid system can contain nondeterministic flow. When that is the case, for each time point, there are multiple possible values for the continuous variables. Yet it is not correct to universally quantify over all such possible values, because only one trajectory is needed. This problem is solved by introducing an additional level of existential quantification.


Definition 3.4 ($k$-Step Reachability, Nontrivial Invariant, Nondeterministic Flow). Suppose $H$ contains invariants and nondeterministic flow, and $U$ a subset of its state space represented by unsafe. The $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formula $\mathrm{Reach}_{H,U}(k, M)$ is defined as:

$\exists \vec{x}_{0,q_1} \exists \vec{x}'_{0,q_1} \cdots \exists \vec{x}_{k,q_m} \exists \vec{x}'_{k,q_m} \exists^{[0,M]} t_0 \cdots \exists^{[0,M]} t_k.$
$\quad \bigvee_{q \in Q} \Big( \mathrm{init}_q(\vec{x}_{0,q}) \wedge \mathrm{flow}_q(\vec{x}_{0,q}, \vec{x}'_{0,q}, t_0)$
$\qquad \wedge \forall^{[0,t_0]} t\, \forall^{[t,t_0]} t'\, \exists \vec{x}\, \exists \vec{x}'\, \big( \mathrm{inv}_q(\vec{x}) \wedge \mathrm{inv}_q(\vec{x}') \wedge \mathrm{flow}_q(\vec{x}, \vec{x}', (t' - t)) \wedge \mathrm{flow}_q(\vec{x}_{0,q}, \vec{x}, t) \wedge \mathrm{flow}_q(\vec{x}', \vec{x}'_{0,q}, t_0 - t') \big) \Big)$
$\quad \wedge \bigwedge_{i=0}^{k-1} \Big( \bigvee_{q, q' \in Q} \big( \mathrm{jump}_{q \to q'}(\vec{x}'_{i,q}, \vec{x}_{i+1,q'}) \wedge \mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}'_{i+1,q'}, t_{i+1})$
$\qquad \wedge \forall^{[0,t_{i+1}]} t\, \forall^{[t,t_{i+1}]} t'\, \exists \vec{x}\, \exists \vec{x}'\, ( \mathrm{inv}_{q'}(\vec{x}) \wedge \mathrm{inv}_{q'}(\vec{x}') \wedge \mathrm{flow}_{q'}(\vec{x}, \vec{x}', (t' - t)) \wedge \mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}, t) \wedge \mathrm{flow}_{q'}(\vec{x}', \vec{x}'_{i+1,q'}, t_{i+1} - t') ) \big) \Big)$
$\quad \wedge \bigvee_{i=0}^{k} \bigvee_{q \in Q} \mathrm{unsafe}_q(\vec{x}'_{i,q}).$
Figure 2

Intuitively, at each time point, the innermost existential quantifier asks for an assignment to the continuous variables $\vec{x}$ such that: first, there is a flow from the initial state in this step to the current assignment, as encoded by $\mathrm{flow}_{q'}(\vec{x}_{i+1,q'}, \vec{x}, t)$; second, from the current assignment there is a flow to $\vec{x}'_{i+1,q'}$, the value that the continuous variables are supposed to take after the rest of the flow.

In the next section we will use these encodings to connect δ-reachability and δ-decision problems of the corresponding $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas.

3.2 δ-Complete Bounded Reachability Analysis

Lemma 3.5. Let $\delta \in \mathbb{Q}^+ \cup \{0\}$ be arbitrary. Suppose $H$ is a hybrid system, $U$ a subset of its state space represented by unsafe, and $\mathrm{Reach}_{H,U}(k, M)$ encodes $(k, M)$-bounded reachability. Let $H$, $U$, $k$, $M$ all be arbitrary.

We always have $\mathbb{R}_{\mathcal{F}} \models (\mathrm{Reach}_{H,U}(k, M))^\delta$ iff there exists a trajectory $\xi \in [\![H^\delta]\!]$ such that for some $(k, t) \in T_M(\xi)$, $(\xi(k, t), \sigma_{\xi,H}(k)) \in [\![\mathrm{unsafe}^\delta]\!]$.

Proof. We prove by induction on $k$, for the most general case of systems with nontrivial invariants and nondeterministic flows. The simpler cases then automatically hold.

(i) Case $k = 0$. Suppose $\mathrm{Reach}^\delta_{H,U}(0, M)$ is true. Then there exist $q \in Q$, $\vec{a}_0, \vec{a}_t' \in X$ and $t_0 \in \mathbb{R}^+ \cap [0, M]$ such that for all $t \in [0, t_0]$, there exists $\vec{a}(t) \in X$ satisfying:

$\mathrm{init}^\delta_q(\vec{a}_0) \wedge \mathrm{flow}^\delta_q(\vec{a}_0, \vec{a}_t', t_0) \wedge \mathrm{flow}^\delta_q(\vec{a}_0, \vec{a}(t), t) \wedge \mathrm{flow}^\delta_q(\vec{a}(t), \vec{a}_t', t_0 - t) \wedge \mathrm{inv}^\delta_q(\vec{a}(t)) \wedge \mathrm{unsafe}^\delta_q(\vec{a}_t')$.

Note that there is no discrete jump. Accordingly, set a trajectory $\xi$ to be:

$\xi(0, 0) = \vec{a}_0,\quad \xi(0, t_0) = \vec{a}_t'$

and for all time points $t \in [0, t_0]$, $\xi(0, t) = \vec{a}(t)$. Following Definition 2.12 and Definition 2.7, $\xi \in [\![H^\delta]\!]$, and $\xi(0, t_0) \in [\![\mathrm{unsafe}^\delta]\!]$.

On the other hand, suppose there is a $\xi \in [\![H^\delta]\!]$ such that $\xi(0, t_0)$ is in $[\![\mathrm{unsafe}^\delta_q]\!]$ for some $t_0 \in [0, M]$. We set $\vec{a}_0 = \xi(0, 0)$, $\vec{a}_t' = \xi(0, t_0)$. Then following the conditions that $\xi$ satisfies in Definition 2.12, for every $t \in [0, t_0]$, there is $\vec{a}(t)$ such that $\mathrm{flow}^\delta_q(\vec{a}_0, \vec{a}(t), t)$ and $\mathrm{flow}^\delta_q(\vec{a}(t), \vec{a}_t', t_0 - t)$. Consequently, $\mathrm{Reach}^\delta_{H,U}(0, M)$ is true, witnessed by these assignments.
(ii) Case $k \geq 1$. Suppose $\mathrm{Reach}^\delta_{H,U}(k, M)$ is true. Then there exist

$q_0, \ldots, q_k \in Q,\quad \vec{a}_0, \vec{a}_0', \ldots, \vec{a}_k, \vec{a}_k' \in X,\quad \text{and}\quad t_0, \ldots, t_k \in [0, M]$

such that for all $t_{q_0} \in [0, t_0], \ldots, t_{q_k} \in [0, t_k]$ there exist $\vec{a}(t_{q_0}), \ldots, \vec{a}(t_{q_k}) \in X$ satisfying:

$\mathrm{init}^\delta_{q_0}(\vec{a}_0) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}_0, \vec{a}_0', t_0) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}_0, \vec{a}(t_{q_0}), t_{q_0}) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}(t_{q_0}), \vec{a}_0', t_0 - t_{q_0}) \wedge \mathrm{inv}^\delta_{q_0}(\vec{a}(t_{q_0}))$
$\wedge\ \mathrm{jump}^\delta_{q_0 \to q_1}(\vec{a}_0', \vec{a}_1) \wedge \cdots \wedge \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}_{k-1}, \vec{a}_{k-1}', t_{k-1}) \wedge \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}_{k-1}, \vec{a}(t_{q_{k-1}}), t_{q_{k-1}})$
$\wedge\ \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}(t_{q_{k-1}}), \vec{a}_{k-1}', t_{k-1} - t_{q_{k-1}}) \wedge \mathrm{inv}^\delta_{q_{k-1}}(\vec{a}(t_{q_{k-1}}))$
$\wedge\ \mathrm{jump}^\delta_{q_{k-1} \to q_k}(\vec{a}_{k-1}', \vec{a}_k) \wedge \mathrm{flow}^\delta_{q_k}(\vec{a}_k, \vec{a}_k', t_k) \wedge \mathrm{flow}^\delta_{q_k}(\vec{a}_k, \vec{a}(t_{q_k}), t_{q_k})$
$\wedge\ \mathrm{flow}^\delta_{q_k}(\vec{a}(t_{q_k}), \vec{a}_k', t_k - t_{q_k}) \wedge \mathrm{inv}^\delta_{q_k}(\vec{a}(t_{q_k})) \wedge \mathrm{unsafe}^\delta_{q_k}(\vec{a}_k')$.

Now, to perform induction, we truncate the last step in the formula and define a new region $U'$ represented by:

$\mathrm{unsafe}'_{q_{k-1}}(\vec{x}) = \mathrm{jump}_{q_{k-1} \to q_k}(\vec{x}, \vec{a}_k) \wedge \mathrm{flow}_{q_k}(\vec{a}_k, \vec{a}_k', t_k) \wedge \mathrm{flow}_{q_k}(\vec{a}_k, \vec{a}(t_{q_k}), t_{q_k})$
$\qquad \wedge\ \mathrm{flow}_{q_k}(\vec{a}(t_{q_k}), \vec{a}_k', t_k - t_{q_k}) \wedge \mathrm{inv}_{q_k}(\vec{a}(t_{q_k})) \wedge \mathrm{unsafe}_{q_k}(\vec{a}_k')$.

We then see that the formula $\mathrm{Reach}^\delta_{H,U'}(k-1, M)$ is true, as simply witnessed by the trace above, using the new formula $\mathrm{unsafe}'_{q_{k-1}}$ to represent the last transition:

$\mathrm{init}^\delta_{q_0}(\vec{a}_0) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}_0, \vec{a}_0', t_0) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}_0, \vec{a}(t_{q_0}), t_{q_0}) \wedge \mathrm{flow}^\delta_{q_0}(\vec{a}(t_{q_0}), \vec{a}_0', t_0 - t_{q_0}) \wedge \mathrm{inv}^\delta_{q_0}(\vec{a}(t_{q_0}))$
$\wedge\ \mathrm{jump}^\delta_{q_0 \to q_1}(\vec{a}_0', \vec{a}_1) \wedge \cdots \wedge \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}_{k-1}, \vec{a}_{k-1}', t_{k-1}) \wedge \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}_{k-1}, \vec{a}(t_{q_{k-1}}), t_{q_{k-1}})$
$\wedge\ \mathrm{flow}^\delta_{q_{k-1}}(\vec{a}(t_{q_{k-1}}), \vec{a}_{k-1}', t_{k-1} - t_{q_{k-1}}) \wedge \mathrm{inv}^\delta_{q_{k-1}}(\vec{a}(t_{q_{k-1}})) \wedge (\mathrm{unsafe}'_{q_{k-1}}(\vec{a}_{k-1}'))^\delta$.

Consequently, by the inductive hypothesis, there exists a trajectory $\xi_{k-1} \in [\![H^\delta]\!]$ that reaches the region $U'$. Now, we extend $\xi_{k-1}$ with the assignments in the $k$-th step, i.e.:

$\xi = \xi_{k-1} \cup \{((k, t), \vec{a}(t)) : t \in [0, t_k]\}$

where $\vec{a}(0) = \vec{a}_k$, $\vec{a}(t_k) = \vec{a}_k'$. We now obtain $\xi \in [\![H^\delta]\!]$ such that $\xi$ reaches the region represented by $\mathrm{unsafe}^\delta$.

On the other hand, suppose there is a trajectory $\xi \in [\![H^\delta]\!]$ such that $\xi$ reaches the region represented by $\mathrm{unsafe}^\delta$. Again, following an argument similar to the above, and Definition 2.12, we can find the sequence of assignments that witnesses the formula $\mathrm{Reach}^\delta_{H,U}(k, M)$ to be true. □

Now we can easily show that the bounded δ-reachability problem is decidable for any $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-representable hybrid system.

Theorem 3.6 (Decidability). Let $\delta \in \mathbb{Q}^+$ be arbitrary. There exists an algorithm such that, for any hybrid system $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-represented by $H$ and an unsafe region $U$ $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-represented by unsafe, solves the $(k, M)$-bounded δ-reachability problem for $H$ for any given bounds $k \in \mathbb{N}$, $M \in \mathbb{R}^+$.
Proof. We need to show that there is an algorithm that correctly returns one of the following answers:

• safe: $H$ does not reach the region represented by unsafe within the $(k, M)$-bound;

• δ-unsafe: $H^\delta$ reaches the region represented by $\mathrm{unsafe}^\delta$ within the $(k, M)$-bound.

For this, we only need to solve the δ-decision problem for the formula $\varphi = \bigvee_{i \leq k} \mathrm{Reach}_{H,U}(i, M)$, from which we obtain an answer of either $\varphi$ is false, or $\varphi$ is δ-true (Theorem 2.5).

• Suppose $\varphi$ is false. Then we know that for any $i \leq k$, $\mathrm{Reach}_{H,U}(i, M)$ is false. Using Lemma 3.5 for the special case $\delta = 0$, we know that there does not exist a trajectory $\xi \in [\![H]\!]$ that can reach $U$ within $i$ steps, and consequently the system is safe within the $(k, M)$-bound.

• Suppose $\varphi$ is δ-true. Then we know that there exists $i \leq k$ such that $\mathrm{Reach}^\delta_{H,U}(i, M)$ is true. Using Lemma 3.5 for $\delta \in \mathbb{Q}^+$, we know that there exists a trajectory $\xi \in [\![H^\delta]\!]$ that can reach the region represented by $\mathrm{unsafe}^\delta$ in $i$ steps, i.e., within the $(k, M)$-bound. □

From the structures of the $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-formulas encoding δ-reachability, we can obtain the following complexity results for the reachability problems.

Theorem 3.7 (Complexity). Suppose all the functions in the description of $H$ are in complexity class $C$. Then deciding the $(k, M)$-bounded δ-reachability problem is in

• $NP^C$ for an invariant-free $H$;

• $(\Sigma_2^P)^C$ for $H$ with nontrivial invariants and deterministic flows;

• $(\Sigma_3^P)^C$ for $H$ with nontrivial invariants and nondeterministic flows.

Proof. It is clear that the logic structures of the $\mathrm{Reach}_{H,U}(k, M)$ formulas in the three cases are $\Sigma_1$, $\Sigma_2$, and $\Sigma_3$ respectively. Consequently, using the complexity results of Theorem 2.6, the complexity of the δ-decision problems resides in $NP^C$, $(\Sigma_2^P)^C$, and $(\Sigma_3^P)^C$ respectively.

The missing step here is that the $\mathrm{Reach}_{H,U}(k, M)$ formulas are of exponential length, because the enumeration of all possible paths through the discrete modes requires an exponential number ($m^{k+1}$, where $m$ is the number of discrete modes in $H$) of copies of the continuous variables. Thus the $\mathrm{Reach}_{H,U}(k, M)$ encodings do not provide a polynomial reduction to the δ-decision problems.

Observe, however, that we can nondeterministically select single paths through the modes. This is just what we did in the proof of Lemma 3.5. Here we show how to do this for the $\Sigma_3$ case of nontrivial invariants and nondeterministic flows; the other cases are subsumed. Nondeterministically, we can choose a sequence of modes $q_0, \ldots, q_k \in Q$ and solve the δ-decision problem for the formula:

Now, this formula is polynomial in $H$, unsafe, $k$, $M$. Thus, we can use the nondeterministic machine to first randomly select such a formula in polynomial time, and δ-decide its truth value, which is in $(\Sigma_3^P)^C$. Thus, the complexity of the δ-reachability problem is still in $(\Sigma_3^P)^C$ for this case. □
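As an added example (not code from the report or its authors), the following Python writes out the $\Sigma_2$ encoding of Definition 3.3 for a simplified, constructed variant of the bouncing ball of Example 2.9, both as the disjunction over all $m^{k+1}$ mode sequences (the blow-up noted after Theorem 3.7) and for one chosen sequence $q_0, \ldots, q_k$, which is the polynomial-size formula used in the proofs of Lemma 3.5 and Theorem 3.7. The string templates, the component notation `x[v]`, the treatment of absent jumps and the unsafe region `x > 20` are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

@dataclass
class Automaton:
    """L_RF-representation of Definition 2.7 with each component formula kept as a
    string template; {x0}, {xt}, {t}, {x}, {xp} are filled with variable names."""
    modes: List[str]
    init: Dict[str, str]                  # q -> template over {x}
    flow: Dict[str, str]                  # q -> template over {x0}, {xt}, {t}
    jump: Dict[Tuple[str, str], str]      # (q, q') -> template over {x}, {xp}
    inv: Dict[str, str]                   # q -> template over {x}
    unsafe: Dict[str, str]                # q -> template over {x}

def bouncing_ball() -> Automaton:
    """Constructed variant of Example 2.9; the unsafe region is made up for the demo."""
    drag = "g*(1 {sign} beta*v(s)^2)"
    return Automaton(
        modes=["qu", "qd"],
        init={"qd": "{x}[x] = 10 and {x}[v] = 0"},
        flow={"qu": "{xt} = {x0} + int_0^{t} (v(s), " + drag.format(sign="-") + ") ds",
              "qd": "{xt} = {x0} + int_0^{t} (v(s), " + drag.format(sign="+") + ") ds"},
        jump={("qd", "qu"): "{x}[x] = 0 and {xp}[v] = {x}[v]*exp(c*pi/(2*m*omega_d)) and {xp}[x] = {x}[x]",
              ("qu", "qd"): "{x}[v] = 0 and {xp}[x] = {x}[x] and {xp}[v] = {x}[v]"},
        inv={"qd": "{x}[x] >= 0 and {x}[v] >= 0", "qu": "{x}[x] >= 0 and {x}[v] <= 0"},
        unsafe={"qd": "{x}[x] > 20", "qu": "{x}[x] > 20"},
    )

def step_conjuncts(H: Automaton, q: str, i: int) -> List[str]:
    """flow_q(x_i, x'_i, t_i) plus the invariant check of Definition 3.3:
    forall^[0,t_i] t forall x (flow_q(x_i, x, t) -> inv_q(x))."""
    x_i, xp_i, t_i = f"x_{i}", f"x'_{i}", f"t_{i}"
    flow = H.flow[q].format(x0=x_i, xt=xp_i, t=t_i)
    flow_any = H.flow[q].format(x0=x_i, xt="x", t="t")
    return [flow, f"forall^[0,{t_i}] t forall x ({flow_any} -> {H.inv[q].format(x='x')})"]

def reach_path(H: Automaton, path: Tuple[str, ...], M: float) -> Optional[str]:
    """Reach_{H,U}(k, M) of Definition 3.3 restricted to one mode sequence q_0..q_k
    (the polynomial-size formula of Theorem 3.7's proof).  Returns None when the
    sequence is impossible: no initial states in q_0, or no jump between two modes."""
    k = len(path) - 1
    if path[0] not in H.init:
        return None
    quant = [f"exists x_{i} exists x'_{i}" for i in range(k + 1)]
    quant += [f"exists^[0,{M}] t_{i}" for i in range(k + 1)]
    body = [H.init[path[0]].format(x="x_0")] + step_conjuncts(H, path[0], 0)
    for i in range(k):
        if (path[i], path[i + 1]) not in H.jump:
            return None
        body.append(H.jump[(path[i], path[i + 1])].format(x=f"x'_{i}", xp=f"x_{i + 1}"))
        body += step_conjuncts(H, path[i + 1], i + 1)
    # the unsafe disjunction ranges over the exit value x'_i of every step
    unsafe = " or ".join(H.unsafe[q].format(x=f"x'_{i}") for i, q in enumerate(path))
    return " ".join(quant) + ". " + " and ".join(body) + f" and ({unsafe})"

def reach_all(H: Automaton, k: int, M: float):
    """The full encoding as a disjunction over all m^(k+1) mode sequences, i.e. the
    exponential blow-up noted after Theorem 3.7.  Returns (sequences, disjuncts)."""
    seqs = list(product(H.modes, repeat=k + 1))
    disjuncts = [f for f in (reach_path(H, s, M) for s in seqs) if f is not None]
    return seqs, disjuncts
```

For the two-mode ball with $k = 2$, all $2^3$ sequences are enumerated but only the alternating one starting in $q_d$ survives, and its formula carries exactly $k + 1$ universally quantified invariant checks.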

Corollary 3.8. For linear and polynomial hybrid automata, the bounded δ-reachability problem ranges from being NP-complete to $\Sigma_3^P$-complete for the three cases. For hybrid automata that can be $\mathcal{L}_{\mathbb{R}\mathcal{F}}$-represented with $\mathcal{F}$ containing the set of ODEs defined by P-computable right-hand side functions, the problem is PSPACE-complete.

Proof. The results come from the fact that the complexity of polynomials is in P, and the set of ODEs in question is PSPACE-complete. □